You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: record the B1-uplink — OGAR executor wired behind the hard gate
The hard gate is now wired to the executor in rs-graph-llm's new
`graph-flow-action-ogar` seam crate (`GatedOgarHandler` / `run_gated`):
`dispatch_via`'s cold floor (`commit_via`: RBAC ∧ state-guard ∧ MUL) lands
before the OGAR `CapabilityExecutor` runs. The structural proof is a negative —
`take_result()` is `None` whenever the gate refused, so an unauthorized
(`Denied`) or MUL-blocked (`Escalated`) action never reaches the executor.
OGAR owns the executor; rs-graph-llm owns the gate; the seam crate joins them
without OGAR taking a `lance-graph` dep.
- ARAGO-ACTIONHANDLER-PARITY: new B1-uplink §3 bullet + scorecard row (SHIPPED),
verdict note (gate wired to executor), cross-ref to the seam crate.
- DISCOVERY-MAP: new D-ACTIONHANDLER-UPLINK row (G / CODED), cross-ref
D-ACTIONHANDLER-PARITY (append-only; existing row untouched).
- EPIPHANIES: E-ACTIONHANDLER-UPLINK (FINDING) — the load-bearing proof is the
negative test; the coupling lives in the seam, not in graph-flow-action.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EYvNjD8M8LMNYbRy3gq2FP
Copy file name to clipboardExpand all lines: .claude/board/EPIPHANIES.md
+39Lines changed: 39 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,45 @@
7
7
8
8
---
9
9
10
+
## 2026-06-24 — E-ACTIONHANDLER-UPLINK — the hard gate is wired to the executor without OGAR ever taking a `lance-graph` dep: OGAR owns the executor, rs-graph-llm owns the gate, one seam crate joins them
11
+
12
+
**Status:** FINDING (`[G]`, 3 tests).
13
+
14
+
Operator directive: "make the hard actionhandler in OGAR as is but also 'uplink'
15
+
into rs-graph-llm so there's a hard gated contract before it lands." The shape
16
+
that satisfies it without violating either repo's dependency hygiene:
17
+
18
+
-**OGAR owns the executor.**`CapabilityExecutor` (e.g.
19
+
`ogar-action-handler::NativeCommandExecutor`) is the only piece that does real
20
+
I/O — it runs the capability and returns `resultParameters`. It carries no
21
+
authorization logic and no `lance-graph` dep.
22
+
-**rs-graph-llm owns the hard gate.**`graph-flow-action::dispatch_via` runs the
-**A third crate is the seam.** New `graph-flow-action-ogar`: `GatedOgarHandler`
27
+
wraps a `CapabilityExecutor` as a `graph-flow-action::ActionHandler`, so the
28
+
executor runs **only after the contract lands**. `run_gated` drives the whole
29
+
thing; `take_result()` is `None` iff the gate refused.
30
+
31
+
**The load-bearing proof is a negative.** The test
32
+
`unauthorized_action_is_blocked_before_execution` asserts `result.is_none()` — the
33
+
OGAR executor *never ran* because the gate said `Denied`. `mul_block_vetoes_before_execution`
34
+
proves the same for a MUL `Block` (`Escalated`, `None`). Only
35
+
`authorized_action_passes_the_gate_and_runs_the_command` reaches the real
36
+
`echo` → `{"output":"gated",…}`. The hard contract demonstrably lands *before*
37
+
execution, not alongside it.
38
+
39
+
**Why the coupling lives in the seam, not in `graph-flow-action`:**`ogar-from-schema`
40
+
carries no `lance-graph` dependency, so the two sides meet only at the seam crate's
41
+
API — no second `lance-graph-contract` enters the graph. The seam is the *only*
42
+
place the two repos' types touch. (Toolchain: rs-graph-llm pinned to 1.95.0 to
43
+
match the AdaWorldAPI stack it consumes via path deps.) This is the B1-uplink row
44
+
in the `ARAGO-ACTIONHANDLER-PARITY` scorecard and `D-ACTIONHANDLER-UPLINK` in the
45
+
discovery map.
46
+
47
+
---
48
+
10
49
## 2026-06-24 — E-ARAGO-ACTIONHANDLER-PARITY — OGAR is at full *contract + lifecycle* parity with arago's HIRO ActionHandler; the live daemon reduces to two glue bricks
| D‑ACTIONHANDLER‑PARITY | arago HIRO ActionHandler ⟷ OGAR: `assemble_action_handler` walks the OGIT `provides` graph (`ActionHandler→ActionApplicability→ActionCapability`) into `ActionHandlerSpec`/`CapabilitySlot`/`ApplicabilitySlot`/`ActionParam`. Config+ontology+`action-ws` protocol all map to OGAR types: arago `ModelFilter{Var,Mode,Value}`→`StateGuard`; `Capability.Name`→`predicate`; `resultParameters`→output sig; `action-ws` `submitAction→ack→sendActionResult` ⟷ `ActionInvocation` `Pending→Committed` (`commit_via` is the gate). **B2 protocol core SHIPPED + spec-faithful** (`action_ws`: all 6 `action-ws.yaml` message types — submitAction/sendActionResult/acknowledged/negativeAcknowledged/configChanged/error — + `submit_to_invocation`/`bind_parameters`/`invocation_to_result` (result=JSON string ≤1 MiB per spec) + connection consts (`ACTION_WS_PATH`, `auth_subprotocol`, `validate_id`); socket-free, `full_action_ws_roundtrip` proven; harvested from the HIRO 7.0 dev-portal specs §2a). **Reactive dispatch + B1 native executor SHIPPED**: `action_ws::handle_submit` (validate→ack/nack→bind→execute→result) over the `CapabilityExecutor` trait (the B1 seam); `ogar-action-handler::NativeCommandExecutor` runs `ExecuteCommand` for real (`full_dispatch_runs_a_real_command` — OGAR runs a command end-to-end). Remaining for a live drop-in: B2-transport (WS loop), B2-lift (REST registration parse), SSH/REST executor targets; gated on `PROBE‑OGAR‑ACTIONHANDLER‑RUN` | G (contract+protocol+native exec) / H (live socket) | CODED | `ogar-from-schema/src/{do_arm,action_ws}.rs`, `ogar-action-handler/`, `docs/ARAGO-ACTIONHANDLER-PARITY.md` | D‑HIRO‑DO, D‑MARS‑CLASSID |
214
+
| D‑ACTIONHANDLER‑UPLINK | The hard gate wired to the OGAR executor (cross‑repo seam): rs‑graph‑llm `graph-flow-action-ogar::GatedOgarHandler` wraps an OGAR `CapabilityExecutor` as a `graph-flow-action::ActionHandler`, so `dispatch_via`'s cold floor (`commit_via`: def‑match → RBAC `ClassRbac` → `StateGuard` → MUL) lands **before** the executor's `handle`. Structural proof the contract lands first: `take_result()`/`run_gated` returns `None` whenever the gate refused — unauthorized actor → `Denied` (executor never runs), MUL `Block` → `Escalated` (executor never runs); only the authorized path reaches `NativeCommandExecutor` and runs the real command (3 tests). Dependency hygiene held: `graph-flow-action` stays contract‑only (`I‑ACTIONHANDLER‑IS‑KGV‑NOT‑CHOKEPOINT`); `ogar-from-schema` carries no `lance-graph` dep — the two sides meet only at this crate's API (one `lance-graph-contract`). rs‑graph‑llm pinned to toolchain 1.95.0 to match the AdaWorldAPI stack | G | CODED | `rs-graph-llm/graph-flow-action-ogar/src/lib.rs` | D‑ACTIONHANDLER‑PARITY |
214
215
| D‑OSM |`ogar-from-osm-pbf` — Node/Way/Relation; quadkey NiblePath from resolved geometry | H | IDEA | (queued) | D‑VOCAB, `[per rt]` D‑OSM‑3 |
215
216
| D‑PATTERN |`ogar-pattern` — recognition library + confidence (FMA‑D/FIBO/SKR/PROV‑O) | H | IDEA | (queued) | D‑TTL |
216
217
| D‑ACTION |`ogar-actionable` — lifecycle → `ActionDef`/`KausalSpec`| H | IDEA | (queued) | D‑PATTERN |
0 commit comments